With less than two weeks for the European Union's General Data Protection Regulation (GDPR) to go into effect, Google on Friday listed the multiple measures the company has taken to ensure its cloud services comply with data privacy mandate.
Among them are updates to the company's data processing terms and conditions, new data portability features and updated terms pertaining to breach disclosures and incident reporting.
"Compliance is central to Google Cloud’s mission of protecting the privacy and security of our customers’ information," said Google Cloud directors Suzanne Frey Marc Crandall in a blog May 11. "We’ll continue our work in this space, and are committed to helping you meet your GDPR compliance needs."
GDPR, often touted as one of the biggest ever privacy mandates requires organizations handling personal data belonging to EU residents to implement certain controls for protecting the data. It requires companies to clearly spell out their privacy policies, inform individuals about any personal information of theirs that is being collected and the purpose of that collection.
GDPR requires companies handling EU resident data to obtain informed consent from users before collecting, using or sharing the data and imposes strict new requirements for breach disclosures.
The mandate gives individuals unprecedented access and control over their personal data. Among other things, GDPR gives EU residents the right to ask companies such as Google for a copy of any of their personal data that might have been collected.
The mandate gives EU residents the right to ask companies to correct any errors that might exist in the data. Personal data, under GDPR, needs to be portable so the data can be easily transferred to others when a user requests it.
Google, like other companies handling EU data has been working on complying with GDPR requirements for some time. Under GDPR, Google Cloud generally acts as a data processor and as such the company is required to process data only as instructed by customers, Frey and Crandall said in their blog.
The company has updated its data processing terms for Google Cloud Platform and its G Suite of hosted productivity apps. The updates clearly spell out Google's privacy commitments and the company's shared responsibility for protecting customer data under GDPR, the two Google directors stated.
To ensure compliance with GDPR's data portability requirement Google has introduced a new data export feature that makes it easy for businesses to download a copy of their business data from G Suite and Google Cloud Identity services, Frey and Crandall said.
Google has also updated the language around its incident notification procedures so that they are now compliant with GDPR's requirements. In addition Google's existing measures such as encryption of data at rest, its Cloud Data Loss Prevention technology and its data classification, discovery and monitoring tools help ensure compliance with the EU mandate's requirements for protecting sensitive data.
Google also provides an audit log so enterprise administrators know whenever Google's cloud support and engineering teams might need to interact with their business data.
"We also offer model contract clauses affirming that G Suite and [Google Cloud Platform] contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world," Frey and Crandall said.